Questions[kerio](server)

I have a reverse proxy running on port 80 to serve as a "gateway" to update Let's Encrypt certificates on VMs inside my network. This reverse proxy is only exposed for 5 minutes per week on port 80 for this reason. I have a number of domains that pass through this server to be forwarded to their internal IP addresses. This all works fine, however there is one server exposed to the internet on port 443. When I make a request to the correct domain name using https, all is fine. When I use one of the other domains, I of course get an invalid certificate error. That is why I was thinking of routing port 443 traffic through the reverse proxy so I'll be able to block traffic not targetting the one domain that is exposed and running on 443. Nginx however expects a valid certificate which I can't give it because it's on another server.

The server I'm running on port 443 is Kerio Mailserver.. maybe there is something I can do there to force the use of only one domain name?

Is there a way of handling this? Just in case you're wondering: the other servers don't need exposing.

I'm attempting to connect Kerio to an Open Directory instance. I'm using kinit to test the setup, and I get the following:

$ kinit -V -S host/[email protected] [email protected]
Please enter the password for [email protected]:
Kerberos Login Failed: Cannot resolve network address for KDC in requested realm

This occurs, even though I am 100% sure that the password is correct. Either way, I am more concerned with regards to the part of the message that says

Kerberos Login Failed: Cannot resolve network address for KDC in requested realm

From the server running OD, and a second in house server I get the same error message. I can dig and ping server.domain.co.uk correctly from both servers, so it boggles my mind what could be wrong.

I need this to be working before I can move forward and connect up the Kerio instance to my OD.

edu.mit.kerberos

[libdefaults]
    default_realm = SERVER.domain.CO.UK
[realms]
    SERVER.domain.CO.UK = {
        admin_server = server.domain.co.uk
        kdc = server.domain.co.uk
    }
[domain_realm]
    domain.co.uk = SERVER.domain.CO.UK
    .domain.co.uk = SERVER.domain.CO.UK
[logging]
    admin_server = FILE:/var/log/krb5kdc/kadmin.log
    kdc = FILE:/var/log/krb5kdc/kdc.log

SERVER is the real hostname for the machine in question, and domain.co.uk is my FQDN, or at least replacing my FQDN

Thanks for any assistance.

I need to run a redundant backup mail server in case the main one goes down.

The settings in GoDaddy look something like the following:

A (Host)

Host    Points to

@       ip address of mail1 41.x.x.x
mail1   ip address of mail1 41.x.x.x
mail2   ip address of mail2 196.x.x.x

MX

Priority    host         points to

10               @           mail1.mydomain.com
20               @           mail2.mydomain.com

When mail1 goes down, mail2 is able to get emails. I can access it through the browser with no problem, but I want my users to able to pop3/smtp as well without changing anything in their outlook. I dont want any impact to the users when mail1 is down.

Also, I'm using the windows server DFS to keep both folders of the mails in sync. Is this the right way, or should I be using something else?

We have Kerio Connect (mail server) running on a Windows Server 2003 server on a domain. In the webmail client, users are able to change their domain password. This functionality used to work fine until a user tried to change their password a few days ago, when every password they'd try would result in the webmail client claiming their password was "invalid". I spoke to Kerio about this and they claim that this error is returned by the domain controller, which supports my initial investigations.

The error that the DC is logging when an attempt is made to change the password is this:

"80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece"

The "data 52e" part indicates that this is an "invalid credentials" error. I don't see how this can be as I've tried (in the Kerio Connect configuration) various accounts that have privileges to modify accounts, including my own as I am a domain admin.

I have ran 'dcdiag' (all tests) on the DC and it came back passing every single one of them. I've searched high and low for an answer to this and came up empty.

Does anyone have any idea why this may have suddenly started happening?

Thanks!

Edit: I should mention that the passwords we are changing to do comply with the complexity policy.

We are considering a change of email servers and Kerio Connect is attractive. However, I am concerned about calendaring functionality. I found an old forum post that states the question well:

"We want to create a single public calendar that everyone can see - using Windows XP/Outlook 2003/KOC 6.4.1. We want a way for people to put an entry in their own personal calendar and some how mark it so the entry auto add's or syncs with the public one. If an entry is private it wouldn't sync to the shared public calendar...

Has anyone ever heard of a way to do this - in any way with any software?"

This is a high priority feature, so if Kerio cannot do this, we may consider Exchange. Does Exchange provide functionality like that described?